UNCLASSIFIED

Commit 64d8d739 authored by Andy Maksymowicz

Merge branch 'operator-repo-initialpush' into 'development'

Mirror of repo available on open internet.

See merge request !1
parents 8fb6dc63 b3cbc173
Pipeline #250778 failed with stages in 40 seconds
# MongoDB Enterprise Advanced (EA) - Customer Agreement #
By agreeing to an Order Form that references this Customer Agreement (this “Agreement”), or by downloading our Software for a free trial, you agree to this Agreement. If you represent an organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of your organization.
1. Definitions. The following terms have the following meanings:
“Affiliate” means an organization that controls, is controlled by, or is under common control with, a party, where “control” means direct or indirect ownership of more than 50% of the voting interests of the organization.
“Confidential Information” means information a party designates as confidential or reasonably considers as confidential, and includes pricing information on an Order Form. “Confidential Information” excludes information that is (a) or becomes publicly available through no fault of the recipient, (b) received from a third party without a duty of confidentiality, (c) independently developed by the receiving party without breaching this Agreement, or (d) rightfully known or lawfully in the possession of the receiving party prior to disclosure from the other party.
“Consulting Services” means the consulting or professional services included in your Subscription.
“Customer,” “you” and “your” means the organization that agrees to an Order Form or downloads the Software for a free trial.
“Deliverable” means a work provided to you as a part of the Consulting Services, including any report.
“Documentation” means the instructions, specifications and information regarding the Software available at https://docs.mongodb.com/.
“MongoDB,” “we,” “our” and “us” means the MongoDB company that agrees to an Order Form.
“Order Form” means an ordering document for Subscriptions signed by both parties that refers to this Agreement.
“Server” means each unit of RAM as specified on an Order Form of: (a) a physical machine, dedicated server or server blade that stores data; or (b) an instance that stores data in a public or private cloud, where “cloud” includes any type of virtualized or containerized environment (e.g., simple operating systems, virtual machines, CGroups).
“Software” means the MongoDB Enterprise database software, MongoDB Ops Manager, MongoDB Charts, MongoDB Connector for Business Intelligence, and any other software included with a Subscription, including any generally available updates to such software, but excluding open source software components, each of which has its copyright notice and license included in the license file and Documentation.
“Subscription” means a subscription for our Software, Support, or Consulting Services set forth in an Order Form.
“Support” means support, if any, included in a Subscription.
2. Subscriptions.
(a) Generally. We will provide you with the Software, Support and Consulting Services included in the Subscription. We will provide you with Support in accordance with the applicable support policy available on our website, currently available at https://www.mongodb.com/support-policy. While we may modify our support policy from time to time, we will not modify it in a way that materially and adversely affects your Support. Your Affiliates may purchase Subscriptions directly from us by signing an Order Form and you may allow an Affiliate to use your Subscriptions as long as you are responsible for the Affiliate’s compliance with this Agreement.
(b) Free Evaluation and Development. MongoDB grants you a royalty-free, nontransferable and nonexclusive license to use and reproduce the Software in your internal environment for evaluation and development purposes. You will not use the Software for any other purpose, including testing, quality assurance or production purposes without purchasing an Enterprise Advanced Subscription. We provide the free evaluation and development license of our Software on an “AS-IS” basis without any warranty.
(c) Enterprise Advanced Subscription. MongoDB grants you a nontransferable and nonexclusive license during the term of the Subscription to use and reproduce the Software in your internal environment for the purposes and on the number of Servers stated on the Order Form. You will cover each Server used by an application with an Enterprise Advanced Subscription.
3. Consulting Services. You will provide MongoDB with reasonable assistance and information to facilitate scheduling and performance of Consulting Services. You will also appoint an engagement manager to help ensure effective delivery of the Consulting Services. Consulting Services and any Deliverables are accepted when delivered unless otherwise set forth in an Order Form. We may engage qualified subcontractors to provide the Consulting Services, and we are responsible for any subcontractor’s compliance with this Agreement. We grant you a royalty-free, perpetual, nontransferable and nonexclusive license to use and reproduce any Deliverables for your internal business purposes, except for training materials, which may only be used by the individual employees who attended the training session.
4. Your Responsibilities. As a condition to your use of the Software, you will not, and will not allow any third party to: (a) decompile, disassemble, translate, reverse engineer or attempt to derive source code from any portion of the Software; (b) sell, sublicense, rent, lease, distribute, market, or commercialize the Software, your Subscription or any Deliverables, provided that you may use the Software in connection with an application available to your end customers as long as they cannot access the Software directly; (c) directly or indirectly circumvent or violate the technical restrictions of the Software; (d) remove any identification, proprietary, copyright or other notices in the Software, Documentation or Deliverables; (e) modify or create a derivative work of any portion of the Software; (f) publicly disseminate performance information about, or analysis of, the Software, including benchmarking test results, or your Subscription; (g) use the Software on more Servers than licensed on an Order Form; (h) use Support or Ops Manager, Cloud Manager, MongoDB Charts, or MongoDB Connector for Business Intelligence in connection with any application that is not covered by an Enterprise Advanced Subscription; or (i) access or use the Software in a way intended to avoid incurring fees or exceeding usage limits or quotas. You will comply with applicable laws in connection with your use of Software, Deliverables, Consulting Services and your Subscriptions, including any applicable U.S. export regulations and anti-corruption laws.
5. Payment and Taxes. You will pay undisputed fees and reimburse any business expenses as set forth on and in accordance with an Order Form. Your payment for Subscriptions is non-refundable and you may not terminate or cancel an Order Form except as stated in this Agreement. Our fees exclude and you will pay applicable taxes and similar charges, including sales, usage, excise and value added taxes. Nothing in this Agreement requires either party to pay any income taxes or similar charges of the other party. If applicable law requires you to withhold any amount from your payment, you will provide us with copies of documents related to your withholding upon our request.
6. Confidentiality. This Agreement supersedes any applicable non-disclosure agreement between the parties with respect to your use of the Software. The receiving party will use the disclosing party’s Confidential Information only in connection with this Agreement and protect the disclosing party’s Confidential Information by using the same degree of care used to protect its own confidential information, but not less than a reasonable degree of care. The receiving party will limit disclosure of the disclosing party’s Confidential Information to its and its Affiliates’ directors, officers, employees and contractors bound to confidentiality obligations at least as protective as the confidentiality provisions in this Agreement and who have a need to know the Confidential Information. The receiving party will not disclose the disclosing party’s Confidential Information to any other third party without the disclosing party's consent, except where required to comply with applicable law or a compulsory legal order or process, provided that the receiving party will, if legally permitted, promptly notify the disclosing party. Each party will return or destroy the other party’s Confidential Information upon written request from the other party.
7. Intellectual Property. This Agreement does not transfer any right, title or interest in any intellectual property to any party, except as expressly set forth in this Agreement. You are not obligated to provide us with any suggestions or other feedback, but if you do, we may use and modify this feedback without any restriction or payment.
8. Warranties. MongoDB represents and warrants that: (a) the Software will perform substantially in accordance with the Documentation, and (b) it will perform Consulting Services and Support in a diligent and workmanlike manner consistent with industry standards. Your exclusive remedy for MongoDB’s material breach of warranty is to terminate any affected Subscription in accordance with Section 11 and receive a refund of any prepaid fees for unused Subscriptions. Except as set forth in this Section, we provide the Software, Consulting Services and Support on an “AS-IS” basis. To the fullest extent not prohibited by law, MongoDB disclaims and this Agreement excludes any implied or statutory warranty, including any warranty of title, non-infringement, merchantability or fitness for a particular purpose.
9. Limitation of Liability.
(a) Neither party will be liable to the other for any incidental or consequential damages, including lost profits or business opportunities, or any special or punitive damages.
(b) Except as set forth in Section 9(c) and 9(d), each party’s cumulative liability will not exceed the total fees payable to MongoDB by Customer under this Agreement during the 12-month period before the event giving rise to the liability.
(c) Each party’s cumulative liability under Section 10 will not exceed $3,000,000.
(d) Nothing in this Agreement limits either party’s liability for: (i) fraud or fraudulent misrepresentation; (ii) death or personal injury caused by negligence, gross negligence or intentional misconduct; (iii) Customer’s payment obligations; or (iv) any liability which cannot legally be limited.
10. Indemnification.
(a) Customer Indemnification. If a third party asserts a claim against MongoDB alleging that software, content or data used by Customer in connection with the Software or any Subscription, or provided to MongoDB in order for MongoDB to perform Consulting Services, infringes a third party’s intellectual property right (a “Claim Against Us”), Customer will defend MongoDB against the Claim Against Us at Customer’s expense, and indemnify MongoDB from any damages, reasonable legal fees and costs finally awarded against MongoDB to the extent resulting from the Claim Against Us or for amounts paid by MongoDB to settle the Claim Against Us. Customer will have no obligation to defend or indemnify MongoDB if the Claim Against Us is based on MongoDB’s unauthorized changes to Customer’s software, content, data or other information.
(b) MongoDB Indemnification. If a third party asserts a claim against Customer that the Software infringes a third party’s intellectual property right or any Deliverable infringes a third party’s copyright (a “Claim Against You”), MongoDB will defend Customer against the Claim Against You at MongoDB’s expense and indemnify Customer from any damages, reasonable legal fees and costs finally awarded against Customer to the extent resulting from the Claim Against You or for amounts paid by Customer to settle the Claim Against You. MongoDB will not be obligated to defend or indemnify Customer if the Claim Against You is based on: (i) combination of the Software with other software, content, data or business process not contemplated by Documentation; (ii) use of any older release of the Software when use of a newer version would have avoided the alleged or actual infringement; (iii) any modification of the Software made by anyone other than MongoDB; or (iv) MongoDB's compliance with any materials, designs, specifications or instructions provided by Customer.
(c) Infringement Remedies. In addition to MongoDB’s indemnity obligations, if the Software or any Deliverable becomes, or in MongoDB’s opinion is likely to become, the subject of an infringement claim, MongoDB may at its option and expense and as Customer’s sole and exclusive remedy: (i) procure for Customer the right to make continued use of the Software or Deliverable; (ii) replace or modify the Software or Deliverable so that it becomes non-infringing; or (iii) terminate Customer’s license to the Software or Deliverable and refund any prepaid fees for unused Subscriptions.
(d) Indemnification Procedures. Each party will provide the other with prompt notice of any claim. A party’s failure to provide prompt notice to the other party relieves the party of its obligation to defend and indemnify the other party only to the extent that the failure to provide notice materially harms the party’s ability to defend the claim. The indemnifying party will have sole control of the defense of the claim, including any settlement. The indemnified party will provide the indemnifying party with reasonable cooperation in connection with the defense of the claim, and may participate in the defense at its own expense. This Section 10 sets forth each party’s exclusive remedy for any third party infringement claim.
11. Term and Termination. The term of this Agreement commences when you agree to an Order Form, or you download our Software for a free trial, and will remain in effect until terminated in accordance with this Agreement. Either party may terminate this Agreement for convenience immediately upon notice if all Order Forms under this Agreement have expired or been terminated. Neither party may terminate an Order Form for convenience. If a party fails to cure a material breach of this Agreement within 30 days after receipt of written notice of the breach, the other party may terminate this Agreement and any affected Order Form. Upon termination of an Order Form or this Agreement, you will remove the Software from all Servers covered by the terminated Subscriptions. Provisions intended by their nature to survive termination of this Agreement survive termination. During the term of this Agreement and one year following termination, we may inspect your records relating to your use of the Software or Consulting Services for the purposes of verifying compliance with this Agreement.
12. General. Notices under this Agreement will be in writing and effective on the delivery date. The parties will deliver notices by personal delivery or courier to the address of the other party set forth on the Order Form. If you are located in North, Central or South America, New York law governs this Agreement, excluding any applicable conflict of laws rules or principles, and the parties agree to the exclusive jurisdiction of the courts in New York, New York. For customers located elsewhere, the law of England and Wales governs this Agreement, excluding any applicable conflict of laws rules or principles, and the parties agree to the exclusive jurisdiction of the courts in London, England. This Agreement does not create a partnership, agency relationship, or joint venture between the parties. The United Nations Convention for the International Sale of Goods does not apply to this Agreement. Unless you tell us otherwise in writing, we may refer to our relationship with you as a customer. Any assignment of this Agreement by you without our prior written consent will be null and void, except an assignment to an Affiliate or in connection with a merger or sale of all or substantially all of your assets or stock, provided that you may not assign this Agreement to a competitor of ours without our prior written consent. If any provision of this Agreement is unenforceable, that provision will be modified to render it enforceable to the extent possible to effect the parties’ intention and the remaining provisions will not be affected. The parties may amend this Agreement only by a written amendment signed by both parties. This Agreement incorporates any addenda or exhibits, and any Order Form, and comprises the parties’ entire agreement relating to the subject matter of this Agreement. Neither party has entered into this Agreement in reliance on any representations or warranties other than those expressly set forth in this Agreement or in an applicable Order Form. 
If any conflict exists between the provisions in this Agreement and any Order Form, the Order Form controls, and if any conflict exists between this Agreement and any addenda, exhibit or other agreement, this Agreement controls. A purchase order is for convenience only and any terms that govern the purchase order are of no effect. Customer’s purchase of any Subscription is not contingent on, and Customer has not relied on, the delivery of any future functionality, regardless of any communication about our products. Neither party will be liable for failures or delays in performance due to causes beyond its reasonable control.
# MongoDB Enterprise Kubernetes #
# Before You Begin #
Welcome to the MongoDB Enterprise Kubernetes Operator. The Operator enables easy deployment of MongoDB applications into Kubernetes clusters. **PRIOR TO UTILIZING THE MONGODB ENTERPRISE ADVANCED CONTAINER, CONTACT YOUR MONGODB SALES REPRESENTATIVE.** YOUR USE OF THE MONGODB ENTERPRISE SERVER IS SUBJECT TO THE TERMS AND CONDITIONS OF THE AGREEMENT BETWEEN USAF AND THE APPLICABLE RESELLER OF THE MONGODB ENTERPRISE SERVER. SUCH AGREEMENT INCORPORATES THE TERMS & CONDITIONS OF THE MONGODB ENTERPRISE ADVANCED LICENSE AGREEMENT, THE VERSION OF WHICH CURRENT AS OF SEPTEMBER 2020 IS SET FORTH BELOW. THE MONGODB ENTERPRISE ADVANCED LICENSE AGREEMENT IS SUBJECT TO AMENDMENT AND MODIFICATION FROM TIME TO TIME.
# Contact Information #
For licensing and technical information, please use the following contact information:
Anton Hoffman, EAE USAF
781-996-8860
anton.hoffman@mongodb.com
Please also CC: publicsector@mongodb.com
# MongoDB Enterprise Kubernetes Operator #
Welcome to the MongoDB Enterprise Kubernetes Operator. The Operator enables easy deployment of the following applications into Kubernetes clusters:
* MongoDB - Replica Sets, Sharded Clusters and Standalones, with authentication, TLS and many more options.
* Ops Manager - our enterprise management, monitoring and backup platform for MongoDB. The Operator can install and manage Ops Manager in Kubernetes for you.
The Operator requires access to one of our database management tools - Ops Manager or Cloud Manager - to deploy MongoDB instances.
You may run Ops Manager either inside or outside Kubernetes, or may use Cloud Manager (cloud.mongodb.com) instead.
The Operator is currently Generally Available, supported by the [MongoDB Support Team](https://support.mongodb.com/). If you need urgent help, please file a support ticket.
For non-urgent requests, you may file a Github Issue in the public repo (https://github.com/mongodb/mongodb-enterprise-kubernetes).
You can discuss this integration in our new [Community Forum](https://community.mongodb.com/) - please use the tag [enterprise-kubernetes-operator](https://community.mongodb.com/tags/enterprise-kubernetes-operator).
## Documentation ##
[Install Kubernetes Operator](https://docs.opsmanager.mongodb.com/current/tutorial/install-k8s-operator)
[Deploy MongoDB](https://docs.mongodb.com/kubernetes-operator/stable/mdb-resources/)
[Deploy Ops Manager](https://docs.mongodb.com/kubernetes-operator/stable/om-resources/)
[MongoDB Resource Specification](https://docs.opsmanager.mongodb.com/current/reference/k8s-operator-specification)
[Ops Manager Resource Specification](https://docs.mongodb.com/kubernetes-operator/stable/reference/k8s-operator-om-specification/)
[Troubleshooting Kubernetes Operator](https://docs.opsmanager.mongodb.com/current/reference/troubleshooting/k8s/)
[Known Issues for Kubernetes Operator](https://docs.mongodb.com/kubernetes-operator/stable/reference/known-issues/)
## Requirements ##
Please refer to the [Installation Instructions](https://docs.mongodb.com/kubernetes-operator/stable/tutorial/plan-k8s-operator-install/)
to see which Kubernetes and OpenShift versions the Operator is compatible with.
To work with MongoDB resources this Operator requires [Ops Manager](https://docs.opsmanager.mongodb.com/current/) (Ops Manager can
be installed into the same Kubernetes cluster by the Operator or installed outside of the cluster manually).
## Installation
### Create Kubernetes Namespace
The MongoDB Enterprise Operator is installed, by default, into the `mongodb` Namespace, but this Namespace is not created automatically. To create this Namespace you should execute:
```bash
kubectl create namespace mongodb
```
If you plan on using any other Namespace, please make sure you update the yaml files' `metadata.namespace` attribute to
point to your preferred Namespace. If using `helm` you need to override the `namespace` attribute with `--set namespace=<..>`
during helm installation.
### Installation using yaml files
#### Create CustomResourceDefinitions
The `CustomResourceDefinition` (or `crds`) should be installed before installing the operator into your Kubernetes cluster. To do this, make sure you have logged into your Kubernetes cluster and that you can perform Cluster level operations:
```bash
kubectl apply -f https://raw.githubusercontent.com/mongodb/mongodb-enterprise-kubernetes/master/crds.yaml
```
This will create a new `crd` in your cluster, `MongoDB`. This new object will be the one used by the operator to perform the MongoDB operations needed to prepare each one of the different MongoDB types of deployments.
#### Operator Installation
> In order to install the Operator in OpenShift, please follow [these](openshift-install.md) instructions instead.
This operator can also be installed using yaml files, in case you are not using Helm. You may apply the config directly from GitHub:
```bash
kubectl apply -f https://raw.githubusercontent.com/mongodb/mongodb-enterprise-kubernetes/master/mongodb-enterprise.yaml
```
or clone this repo, make any edits you need, and apply it from your machine:
```bash
kubectl apply -f mongodb-enterprise.yaml
```
### Installation using Helm Chart
If you have installed the Helm client locally then you can run the following (note that `helm install` is a less preferred way, as it makes upgrades more complicated;
`kubectl apply` is a much clearer way of installing/upgrading):
```bash
helm template helm_chart > operator.yaml
kubectl apply -f operator.yaml
```
You can customize the installation by simply overriding helm variables; for example, use `--set operator.env="dev"` to run the Operator in development mode
(this will set the logging level to `Debug` and make the logging output non-JSON).
Pass the `--values helm_chart/values-openshift.yaml` parameter if you want to install the Operator to an OpenShift cluster.
You need to specify the image pull secret name using `--set registry.imagePullSecrets=<secret_name>`.
Check the end of the page for instructions on how to remove the Operator.
## MongoDB Resource ##
*This section describes how to create the MongoDB resource. Follow the next section on how to work with Ops Manager resource.*
### Adding Ops Manager Credentials ###
For the Operator to work, you will need the following information:
* Base URL - the URL of an Ops Manager instance
* (optionally) Project Name - the name of an Ops Manager Project where MongoDBs will be deployed into. It will be
created by the Operator if it doesn't exist (and this is the recommended way instead of reusing a project created
in Ops Manager directly). If omitted, the name of the MongoDB resource will be used as the project name.
* (optionally) Organization ID - the ID of the organization which the Project belongs to. The Operator will create
an Organization with the same name as the Project if the Organization ID is omitted.
* API Credentials. This can be any pair of:
  * Public and Private Programmatic API keys. They correspond to the `user` and `publicApiKey` fields in the Secret storing
  credentials. More information about the way to create them using the Ops Manager UI can be found
  [here](https://docs.opsmanager.mongodb.com/current/tutorial/configure-public-api-access/#programmatic-api-keys)
  * Username and Public API key. More information about the way to create them using the Ops Manager UI can be found
  [here](https://docs.opsmanager.mongodb.com/current/tutorial/configure-public-api-access/#personal-api-keys-deprecated)
Note that you must whitelist the IP range of your Kubernetes cluster so that the Operator can make API requests to Ops Manager.
This is documented in greater detail in our [installation guide](https://docs.opsmanager.mongodb.com/current/tutorial/install-k8s-operator).
### Projects ###
A `Project` object is a Kubernetes `ConfigMap` that points to an Ops Manager installation and a `Project`. This `ConfigMap` has the following structure:
```
$ cat my-project.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-project
  namespace: mongodb
data:
  projectName: myProjectName # this is an optional parameter
  orgId: 5b890e0feacf0b76ff3e7183 # this is an optional parameter
  baseUrl: https://my-ops-manager-or-cloud-manager-url
```
> Note that if `orgId` is skipped, a new organization named `projectName` will be automatically created and the new
project will be added there.
> If `projectName` is skipped, the project created in Ops Manager will get the same name as the MongoDB object.
Apply this file to create the new `Project`:
```bash
kubectl apply -f my-project.yaml
```
### Credentials ###
For a user to be able to create or update objects in this Ops Manager Project they need either a Public API Key or a
Programmatic API Key. These will be held by Kubernetes as a `Secret` object. You can create this Secret with the following command:
```bash
$ kubectl -n mongodb create secret generic my-credentials --from-literal="user=some@example.com" --from-literal="publicApiKey=my-public-api-key"
```
### Creating a MongoDB Resource ###
A MongoDB resource in Kubernetes is a `MongoDB` object (short name `mdb`). We are going to create a replica set to test that everything is working as expected. There is a MongoDB replica set yaml file in `samples/mongodb/minimal/replica-set.yaml`.
If you have a correctly created Project with the name `my-project` and Credentials stored in a secret called `my-credentials`, then after applying this file everything should be running and a new Replica Set with 3 members should soon appear in the Ops Manager UI.
```bash
kubectl apply -f samples/mongodb/minimal/replica-set.yaml
```
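Before applying the replica set, a preflight check like the one below catches a manifest that the CRD's validation schema (the `crds.yaml` in this commit) would reject, or one that points at a Secret or ConfigMap lacking the keys the Operator reads. This is an added example, not code from the Operator project; the manifests are constructed in-line as Python dicts standing in for parsed YAML, and the https check on `baseUrl` is a check of this example, not a CRD rule.

```python
"""Preflight lint for a MongoDB (mdb) manifest before `kubectl apply`."""
import re
from typing import Any, Dict, List, Tuple

# Enumerations and the version regex come from the crds.yaml validation schema.
DEPLOYMENT_TYPES = {"Standalone", "ReplicaSet", "ShardedCluster"}
LOG_LEVELS = {"DEBUG", "INFO", "WARN", "ERROR", "FATAL"}
AGENT_AUTH_MODES = {"SCRAM", "X509", "LDAP"}
REQUIRED_SPEC_FIELDS = ("credentials", "type", "version")
# The CRD's oneOf: exactly one of these must select the Ops/Cloud Manager project.
PROJECT_SELECTORS = ("cloudManager", "opsManager", "project")
# The CRD pattern is "^[0-9]+.[0-9]+.[0-9]+(-.+)?$" with unescaped dots; the dots
# are escaped here, so this check is stricter than what the API server enforces.
VERSION_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$")

Manifest = Dict[str, Any]
Index = Dict[Tuple[str, str], Manifest]  # (namespace, name) -> object


def validate_spec(mdb: Manifest) -> List[str]:
    """Apply the crds.yaml schema rules to a parsed MongoDB manifest."""
    findings: List[str] = []
    spec = mdb.get("spec") or {}
    for field in REQUIRED_SPEC_FIELDS:
        if field not in spec:
            findings.append(f"spec.{field} is required")
    selectors = [s for s in PROJECT_SELECTORS if s in spec]
    if len(selectors) != 1:
        findings.append(f"exactly one of {PROJECT_SELECTORS} must be set, got {selectors}")
    if "project" in spec:
        findings.append("spec.project is DEPRECATED; use opsManager/cloudManager.configMapRef")
    if "type" in spec and spec["type"] not in DEPLOYMENT_TYPES:
        findings.append(f"spec.type {spec['type']!r} not in {sorted(DEPLOYMENT_TYPES)}")
    if "version" in spec and not VERSION_RE.match(str(spec["version"])):
        findings.append(f"spec.version {spec['version']!r} is not of the form X.Y.Z[-suffix]")
    if "logLevel" in spec and spec["logLevel"] not in LOG_LEVELS:
        findings.append(f"spec.logLevel {spec['logLevel']!r} not in {sorted(LOG_LEVELS)}")
    agents = ((spec.get("security") or {}).get("authentication") or {}).get("agents") or {}
    if "mode" in agents and agents["mode"] not in AGENT_AUTH_MODES:
        findings.append(f"agents.mode {agents['mode']!r} not in {sorted(AGENT_AUTH_MODES)}")
    return findings


def check_references(mdb: Manifest, secrets: Index, configmaps: Index) -> List[str]:
    """Check that the credentials Secret and project ConfigMap exist in the
    resource's namespace and carry the keys the Operator reads from them."""
    findings: List[str] = []
    ns = (mdb.get("metadata") or {}).get("namespace", "default")
    spec = mdb.get("spec") or {}
    secret = secrets.get((ns, spec.get("credentials")))
    if secret is None:
        findings.append(f"credentials Secret {spec.get('credentials')!r} not found in {ns!r}")
    else:
        # kubectl create secret --from-literal stores the keys under .data (base64).
        missing = [k for k in ("user", "publicApiKey") if k not in (secret.get("data") or {})]
        if missing:
            findings.append(f"Secret {spec['credentials']!r} lacks keys {missing}")
    # Resolve the project ConfigMap: configMapRef wins over the deprecated `project`.
    ref = spec.get("project")
    for selector in ("opsManager", "cloudManager"):
        ref = ((spec.get(selector) or {}).get("configMapRef") or {}).get("name") or ref
    cm = configmaps.get((ns, ref))
    if cm is None:
        findings.append(f"project ConfigMap {ref!r} not found in {ns!r}")
    else:
        base_url = (cm.get("data") or {}).get("baseUrl", "")
        if not base_url:
            findings.append(f"ConfigMap {ref!r} has no baseUrl")
        elif not base_url.startswith("https://"):
            # Not a CRD rule: the API key from the Secret is sent on every call.
            findings.append(f"ConfigMap {ref!r} baseUrl is not https: {base_url}")
    return findings


def preflight(mdb: Manifest, secrets: Index, configmaps: Index) -> List[str]:
    """All findings for one MongoDB resource; an empty list means safe to apply."""
    return validate_spec(mdb) + check_references(mdb, secrets, configmaps)


# Constructed sample objects mirroring the ConfigMap and Secret shown above.
CONFIGMAPS: Index = {
    ("mongodb", "my-project"): {"data": {"projectName": "myProjectName",
                                         "baseUrl": "https://my-ops-manager-or-cloud-manager-url"}},
    ("mongodb", "plain-http"): {"data": {"baseUrl": "http://ops-manager.example.internal"}},
}
SECRETS: Index = {  # base64 of some@example.com / my-public-api-key
    ("mongodb", "my-credentials"): {"data": {"user": "c29tZUBleGFtcGxlLmNvbQ==",
                                             "publicApiKey": "bXktcHVibGljLWFwaS1rZXk="}},
}
GOOD_MDB: Manifest = {
    "apiVersion": "mongodb.com/v1", "kind": "MongoDB",
    "metadata": {"name": "my-replica-set", "namespace": "mongodb"},
    "spec": {"type": "ReplicaSet", "version": "4.2.2", "credentials": "my-credentials",
             "opsManager": {"configMapRef": {"name": "my-project"}},
             "security": {"authentication": {"agents": {"mode": "SCRAM"}}}},
}
# Deprecated `project` next to `opsManager`, bad enum values, a two-part version
# and a Secret that does not exist: six findings in total.
BAD_MDB: Manifest = {
    "apiVersion": "mongodb.com/v1", "kind": "MongoDB",
    "metadata": {"name": "broken", "namespace": "mongodb"},
    "spec": {"type": "replicaset", "version": "4.2", "credentials": "nope",
             "logLevel": "TRACE", "project": "my-project",
             "opsManager": {"configMapRef": {"name": "my-project"}}},
}

if __name__ == "__main__":
    for label, mdb in (("good", GOOD_MDB), ("bad", BAD_MDB)):
        print(label, preflight(mdb, SECRETS, CONFIGMAPS) or ["ok"])
```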
## MongoDBOpsManager Resource ##
This section describes how to create the Ops Manager Custom Resource in Kubernetes. Note that this requires all
the CRDs and the Operator application to be installed as described above.
### Create Admin Credentials Secret ###
Before creating the Ops Manager resource you need to prepare the information about the admin user which will be
created automatically in Ops Manager. You can use the following command to do it:
```bash
$ kubectl create secret generic ops-manager-admin-secret --from-literal=Username="jane.doe@example.com" --from-literal=Password="Passw0rd." --from-literal=FirstName="Jane" --from-literal=LastName="Doe" -n <namespace>
```
Note that the secret is needed only during the initialization of the Ops Manager object; you can remove it or
change the password using the Ops Manager UI after the Ops Manager object has been created.
### Create MongoDBOpsManager Resource ###
Use the file `samples/ops-manager/ops-manager.yaml`. Edit the fields and create the object in Kubernetes:
```bash
$ kubectl apply -f samples/ops-manager/ops-manager.yaml
```
Note that it takes up to 8 minutes to initialize the Application Database and start Ops Manager.
### (Optionally) Create a MongoDB Resource Referencing the MongoDBOpsManager
Now you can use the Ops Manager application to create MongoDB objects. You need to follow the
[instructions](https://docs.mongodb.com/kubernetes-operator/stable/tutorial/create-operator-credentials/#prerequisites)
to prepare keys and enable network access to Ops Manager.
Then you need to perform the standard steps necessary to create MongoDB resource:
* Create a [credentials Secret](https://docs.mongodb.com/kubernetes-operator/stable/tutorial/create-operator-credentials/#create-k8s-credentials)
* Create a [connection ConfigMap](https://docs.mongodb.com/kubernetes-operator/stable/tutorial/create-project-using-configmap/)
* Note that you should use the value from `status.opsManager.url` in the MongoDBOpsManager resource as the value for the `baseUrl` field in the ConfigMap.
## Accessing Ops Manager UI (from a browser)
In order to access the Ops Manager UI from outside the Kubernetes cluster (from a browser), make sure you enable
`spec.externalConnectivity` in the Ops Manager resource definition. The easiest way is by configuring the LoadBalancer service type.
You will be able to fetch the URL to connect to Ops Manager UI from the `Service` created by the Operator.
## Deleting the Operator ##
It's important to keep the correct order of removal operations. The simple rule is: **never remove the Operator before the MongoDB resources**!
The reason is that the Operator cleans up state in Ops Manager on deletion of the MongoDB resource in Kubernetes.
These are the correct steps to remove any MongoDB Operator resources:
```bash
# this operation must be called first!
kubectl delete mdb --all -n <namespace>
# any of the following commands must be called after removing all existing mongodb resources
kubectl delete namespace <namespace>
kubectl delete deployment mongodb-enterprise-operator -n <namespace>
kubectl delete crd/mongodb.mongodb.com
kubectl delete crd/opsmanagers.mongodb.com
kubectl delete crd/mongodbusers.mongodb.com
```
## Contributing
Please file issues before filing PRs. For PRs to be accepted, contributors must sign our [CLA](https://www.mongodb.com/legal/contributor-agreement).
Reviewers, please ensure that the CLA has been signed by referring to [the contributors tool](https://contributors.corp.mongodb.com/) (internal link).
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: mongodb.mongodb.com
spec:
  group: mongodb.com
  version: v1
  scope: Namespaced
  names:
    kind: MongoDB
    plural: mongodb
    shortNames:
      - mdb
    singular: mongodb
  additionalPrinterColumns:
    - name: Type
      type: string
      description: "The type of MongoDB deployment. One of 'ReplicaSet', 'ShardedCluster' and 'Standalone'."
      JSONPath: .spec.type
    - name: State
      type: string
      description: The current state of the MongoDB deployment.
      JSONPath: .status.phase
    - name: Version
      type: string
      description: The version of MongoDB.
      JSONPath: .spec.version
    - name: Age
      type: date
      description: The time since the MongoDB resource was created.
      JSONPath: .metadata.creationTimestamp
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      type: object
      properties:
        spec:
          type: object
          required:
            - credentials
            - type
            - version
          oneOf:
            - required: [cloudManager]
            - required: [opsManager]
            - required: [project]
          properties:
            type:
              type: string
              enum: ["Standalone", "ReplicaSet", "ShardedCluster"]
            credentials:
              type: string
            project:
              type: string
              description: "DEPRECATED The name of a configMap in the same namespace"
            opsManager:
              type: object
              properties:
                configMapRef:
                  type: object
                  properties:
                    name:
                      type: string
            cloudManager:
              type: object
              properties:
                configMapRef:
                  type: object
                  properties:
                    name:
                      type: string
            version:
              type: string
              pattern: "^[0-9]+.[0-9]+.[0-9]+(-.+)?$"
            logLevel:
              type: string
              enum: ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]
            persistent:
              type: boolean
            clusterName:
              type: string
              format: hostname
              description: "DEPRECATED Use clusterDomain instead"
            clusterDomain:
              type: string
              format: hostname
            additionalMongodConfig:
              type: object
            exposedExternally:
              type: boolean
            agent:
              type: object
              properties:
                startupOptions:
                  type: object
            # Generic PodSpec configuration
            podSpec:
              type: object
              properties:
                podTemplate:
                  type: object
                  properties:
                    metadata:
                      type: object
                    spec:
                      type: object
                podAntiAffinityTopologyKey:
                  type: string
                cpu:
                  type: string
                cpuRequests:
                  type: string
                memory:
                  type: string
                memoryRequests:
                  type: string
                podAffinity:
                  type: object
                nodeAffinity:
                  type: object
                persistence:
                  type: object
                  properties:
                    single:
                      type: object
                      properties:
                        storage:
                          type: string
                        storageClass:
                          type: string
                        labelSelector:
                          type: object
                    multiple:
                      type: object
                      properties:
                        data:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        journal:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        logs:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
            # TLS & authentication properties
            security:
              type: object
              properties:
                authentication:
                  type: object
                  properties:
                    agents:
                      type: object
                      properties:
                        mode:
                          type: string
                          enum: ["SCRAM", "X509", "LDAP"]
                        automationUsername:
                          type: string
                        automationPasswordSecretRef:
                          type: object
                          properties:
                            name:
                              type: string
                            key:
                              type: string
                        automationLdapGroupDN:
                          type: string
                        clientCertificateSecretRef:
                          type: object
                          properties:
                            name:
                              type: string
                      required:
                        - mode
                    enabled:
                      type: boolean
                    modes:
                      type: array
                      items:
                        type: string
                        enum: ["SCRAM", "X509", "LDAP"]
                    ignoreUnknownUsers:
                      type: boolean
                    requireClientTLSAuthentication:
                      type: boolean
                tls:
                  type: object
                  properties:
                    enabled:
                      type: boolean
                    ca:
                      type: string
                    secretRef:
                      type: object
                      properties:
                        name:
                          type: string
                    additionalCertificateDomains:
                      type: array
                      items:
                        type: string
                ldap:
                  type: object
                  properties:
                    bindQueryUser:
                      type: string
                    servers:
                      type: array
                      items:
                        type: string
                    transportSecurity:
                      type: string
                      enum: ["none", "tls"]
                    bindQueryPasswordSecretRef:
                      type: object
                      properties:
                        name:
                          type: string
                    caConfigMapRef:
                      type: object
                    authzQueryTemplate:
                      type: string
                    userToDNMapping:
                      type: string
                roles:
                  type: array
                  description: "List of roles not bounded to specific users"
                  items:
                    type: object
                    properties:
                      role:
                        type: string
                        description: "The name of the role"
                      db:
                        type: string
                        description: "The db the role belongs to"
                      roles:
                        type: array
                        description: "List of roles this role inherits from"
                        items:
                          type: object
                          properties:
                            db:
                              type: string
                              description: "The db the role belongs to"
                            role:
                              type: string
                              description: "The name of the role"
                      authenticationRestrictions:
                        type: array
                        description: "List of restriction for users authenticating to this role"
                        items:
                          type: object
                          properties:
                            clientSource:
                              type: array
                              description: "List of IP addresses or CIDR ranges allowed the user can connect from"
                              items:
                                type: string
                            serverAddress:
                              type: array
                              description: "List of IP addresses or CIDR ranges allowed the user can connect to"
                              items:
                                type: string
                      privileges:
                        type: array
                        description: "List of privileges granted to this role"
                        items:
                          type: object
                          properties:
                            actions:
                              type: array
                              description: "List of actions allowed to this role"
                              items:
                                type: string
                            resource:
                              type: object
                              description: "Resource on which the privileges are granted"
                              properties:
                                db:
                                  type: string
                                  description: "Name of the database"
                                collection:
                                  type: string
                                  description: "Name of the collection"
                                cluster:
                                  type: boolean
                                  description: "True for cluster-wide privileges"
            # Sharded Cluster properties
            shardPodSpec:
              type: object
              properties:
                podTemplate:
                  type: object
                  properties:
                    metadata:
                      type: object
                    spec:
                      type: object
                podAntiAffinityTopologyKey:
                  type: string
                cpu:
                  type: string
                cpuRequests:
                  type: string
                memory:
                  type: string
                memoryRequests:
                  type: string
                podAffinity:
                  type: object
                nodeAffinity:
                  type: object
                persistence:
                  type: object
                  properties:
                    single:
                      type: object
                      properties:
                        storage:
                          type: string
                        storageClass:
                          type: string
                        labelSelector:
                          type: object
                    multiple:
                      type: object
                      properties:
                        data:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        journal:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        logs:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
            mongosPodSpec:
              type: object
              properties:
                podTemplate:
                  type: object
                  properties:
                    metadata:
                      type: object
                    spec:
                      type: object
                podAntiAffinityTopologyKey:
                  type: string
                cpu:
                  type: string
                cpuRequests:
                  type: string
                memory:
                  type: string
                memoryRequests:
                  type: string
                podAffinity:
                  type: object
                nodeAffinity:
                  type: object
                persistence:
                  type: object
                  properties:
                    single:
                      type: object
                      properties:
                        storage:
                          type: string
                        storageClass:
                          type: string
                        labelSelector:
                          type: object
                    multiple:
                      type: object
                      properties:
                        data:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        journal:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        logs:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
            configSrvPodSpec:
              type: object
              properties:
                podTemplate:
                  type: object
                  properties:
                    metadata:
                      type: object
                    spec:
                      type: object
                podAntiAffinityTopologyKey:
                  type: string
                cpu:
                  type: string
                cpuRequests:
                  type: string
                memory:
                  type: string
                memoryRequests:
                  type: string
                podAffinity:
                  type: object
                nodeAffinity:
                  type: object
                persistence:
                  type: object
                  properties:
                    single:
                      type: object
                      properties:
                        storage:
                          type: string
                        storageClass:
                          type: string
                        labelSelector:
                          type: object
                    multiple:
                      type: object
                      properties:
                        data:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        journal:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        logs:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
            configServerCount:
              minimum: 1
              type: integer
            mongodsPerShardCount:
              minimum: 1
              type: integer
            mongosCount:
              minimum: 1
              type: integer
            shardCount:
              minimum: 1
              type: integer
            mongos:
              type: object
              properties:
                additionalMongodConfig:
                  type: object
                agent:
                  type: object
                  properties:
                    startupOptions:
                      type: object
            configSrv:
              type: object
              properties:
                additionalMongodConfig:
                  type: object
                agent:
                  type: object
                  properties:
                    startupOptions:
                      type: object
            shard:
              type: object
              properties:
                additionalMongodConfig:
                  type: object
                agent:
                  type: object
                  properties:
                    startupOptions:
                      type: object
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: mongodbusers.mongodb.com
spec:
  group: mongodb.com
  version: v1
  scope: Namespaced
  names:
    kind: MongoDBUser
    plural: mongodbusers
    shortNames:
      - mdbu
    singular: mongodbuser
  additionalPrinterColumns:
    - name: State
      type: string
      description: The current state of the MongoDB User
      JSONPath: .status.phase
    - name: Age
      type: date
      description: The time since the MongoDB User resource was created
      JSONPath: .metadata.creationTimestamp
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      type: object
      properties:
        spec:
          type: object
          properties:
            username:
              type: string
              description: "The username of the user"
            db:
              type: string
              description: "The database the user is stored in"
            project:
              type: string
              description: "The project the user belongs to"
            passwordSecretKeyRef:
              type: object
              properties:
                name:
                  type: string
                key:
                  type: string
              description: "DEPRECATED The project the user belongs to"
            mongodbResourceRef:
              type: object
              properties:
                name:
                  type: string
                  description: "The name of a MongoDB resource in the same namespace"
            roles:
              type: array
              items:
                type: object
                properties:
                  name:
                    type: string
                    description: "The name of the role"
                  db:
                    type: string
                    description: "The db the role can act on"
                  passwordSecretKeyRef:
                    type: object
                    properties:
                      name:
                        type: string
                      key:
                        type: string
                required:
                  - name
                  - db
          required:
            - username
            - db
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: opsmanagers.mongodb.com
spec:
  group: mongodb.com
  version: v1
  scope: Namespaced
  names:
    kind: MongoDBOpsManager
    plural: opsmanagers
    shortNames:
      - om
    singular: opsmanager
  additionalPrinterColumns:
    - name: Replicas
      type: integer
      description: The number of replicas of MongoDBOpsManager.
      JSONPath: .spec.replicas
    - name: Version
      type: string
      description: The version of MongoDBOpsManager.
      JSONPath: .spec.version
    - name: State (OpsManager)
      type: string
      description: The current state of the MongoDBOpsManager.
      JSONPath: .status.opsManager.phase
    - name: State (AppDB)
      type: string
      description: The current state of the MongoDBOpsManager Application Database.
      JSONPath: .status.applicationDatabase.phase
    - name: State (Backup)
      type: string
      description: The current state of the MongoDBOpsManager Backup Daemon.
      JSONPath: .status.backup.phase
    - name: Age
      type: date
      description: The time since the MongoDBOpsManager resource was created.
      JSONPath: .metadata.creationTimestamp
    - name: Warnings
      type: string
      description: Warnings
      JSONPath: .status.warnings
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      type: object
      properties:
        spec:
          type: object
          properties:
            version:
              type: string
            replicas:
              minimum: 1
              type: integer
            clusterName:
              type: string
              format: hostname
              description: "DEPRECATED Use clusterDomain instead"
            clusterDomain:
              type: string
              format: hostname
            security:
              type: object
              properties:
                tls:
                  type: object
                  properties:
                    ca:
                      type: string
                    secretRef:
                      type: object
                      properties:
                        name:
                          type: string
                      required:
                        - name
            adminCredentials:
              type: string
            externalConnectivity:
              type: object
              properties:
                type:
                  type: string
                  enum: ["LoadBalancer", "NodePort"]
                port:
                  type: integer
                loadBalancerIP:
                  type: string
                externalTrafficPolicy:
                  type: string
                  enum: ["Cluster", "Local"]
                annotations:
                  type: object
              required:
                - type
            configuration:
              type: object
            jvmParameters:
              type: array
              items:
                type: string
            statefulSet:
              type: object
              properties:
                spec:
                  type: object
            backup:
              type: object
              properties:
                enabled:
                  type: boolean
                jvmParameters:
                  type: array
                  items:
                    type: string
                headDB:
                  type: object
                  properties:
                    storage:
                      type: string
                    storageClass:
                      type: string
                opLogStores:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      mongodbResourceRef:
                        type: object
                        properties:
                          name:
                            type: string
                        required:
                          - name
                      mongodbUserRef:
                        type: object
                        properties:
                          name:
                            type: string
                        required:
                          - name
                    required:
                      - name
                      - mongodbResourceRef
                blockStores:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      mongodbResourceRef:
                        type: object
                        properties:
                          name:
                            type: string
                        required:
                          - name
                      mongodbUserRef:
                        type: object
                        properties:
                          name:
                            type: string
                        required:
                          - name
                    required:
                      - name
                      - mongodbResourceRef
                s3Stores:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      mongodbResourceRef:
                        type: object
                        properties:
                          name:
                            type: string
                        required:
                          - name
                      mongodbUserRef:
                        type: object
                        properties:
                          name:
                            type: string
                        required:
                          - name
                      pathStyleAccessEnabled:
                        type: boolean
                      s3BucketEndpoint:
                        type: string
                      s3BucketName:
                        type: string
                      s3SecretRef:
                        type: object
                        properties:
                          name:
                            type: string
                    required:
                      - name
                      - pathStyleAccessEnabled
                      - s3BucketEndpoint
                      - s3BucketName
                      - s3SecretRef
                statefulSet:
                  type: object
                  properties:
                    spec:
                      type: object
              required:
                - enabled
            applicationDatabase:
              type: object
              properties:
                passwordSecretKeyRef:
                  type: object
                  properties:
                    name:
                      type: string
                    key:
                      type: string
                  required:
                    - name
                security:
                  type: object
                  properties:
                    tls:
                      type: object
                      properties:
                        ca:
                          type: string
                        secretRef:
                          type: object
                          properties:
                            name:
                              type: string
                          required:
                            - name
                      required:
                        - secretRef
                members:
                  maximum: 50
                  minimum: 3
                  type: integer
                version:
                  type: string
                  pattern: "^[0-9]+.[0-9]+.[0-9]+(-.+)?$|^$"
                logLevel:
                  type: string
                  enum: ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]
                persistent:
                  type: boolean
                statefulSet:
                  type: object
                  properties:
                    spec:
                      type: object
                agent:
                  type: object
                  properties:
                    startupOptions:
                      type: object
                podSpec:
                  type: object
                  properties:
                    podTemplate:
                      type: object
                      properties:
                        metadata:
                          type: object
                        spec:
                          type: object
                    podAntiAffinityTopologyKey:
                      type: string
                    cpu:
                      type: string
                    cpuRequests:
                      type: string
                    memory:
                      type: string
                    memoryRequests:
                      type: string
                    podAffinity:
                      type: object
                    nodeAffinity:
                      type: object
                    persistence:
                      type: object
                      properties:
                        single:
                          type: object
                          properties:
                            storage:
                              type: string
                            storageClass:
                              type: string
                            labelSelector:
                              type: object
                        multiple:
                          type: object
                          properties:
                            data:
                              type: object
                              properties:
                                storage:
                                  type: string
                                storageClass:
                                  type: string
                                labelSelector:
                                  type: object
                            journal:
                              type: object
                              properties:
                                storage:
                                  type: string
                                storageClass:
                                  type: string
                                labelSelector:
                                  type: object
                            logs:
                              type: object
                              properties:
                                storage:
                                  type: string
                                storageClass:
                                  type: string
                                labelSelector:
                                  type: object
              required:
                - members
          required:
            - version
            - applicationDatabase
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-operator-mongodb-webhook
rules:
  - apiGroups:
      - "admissionregistration.k8s.io"
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - create
      - update
      - delete
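The MongoDB CRD above encodes a handful of rules that the API server enforces on every `MongoDB` manifest: three required fields, exactly one project source (`cloudManager`, `opsManager` or `project`), the `type`, `logLevel` and authentication-mode enums, the `minimum: 1` on the sharded-cluster counts, and the `version` pattern. The following added example (not code from the Operator repository) applies those rules to a manifest that has already been parsed into a dict, and separately lists settings that the schema accepts but a hardening review would flag. The sample manifests are constructed for this example; the `ldap` block is checked where the CRD above declares it (beside `tls`) and also under `authentication`, since that is how the schema is read here, not something the page states; loading real manifests from YAML is left to the caller.

```python
import re
from typing import Any, Dict, List

# Constraints transcribed from the mongodb.mongodb.com CRD above.
REQUIRED = ("credentials", "type", "version")
PROJECT_SOURCES = ("cloudManager", "opsManager", "project")  # the CRD's oneOf
TYPES = ("Standalone", "ReplicaSet", "ShardedCluster")
LOG_LEVELS = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")
AUTH_MODES = ("SCRAM", "X509", "LDAP")
SHARDED_COUNTS = ("configServerCount", "mongodsPerShardCount", "mongosCount", "shardCount")
# Verbatim from the CRD. The dots are unescaped, so '.' matches any character and
# the pattern is looser than "major.minor.patch" suggests (see __main__).
VERSION_PATTERN = re.compile(r"^[0-9]+.[0-9]+.[0-9]+(-.+)?$")


def schema_errors(manifest: Dict[str, Any]) -> List[str]:
    """Violations of the CRD's openAPIV3Schema for one MongoDB manifest (as a dict)."""
    errors: List[str] = []
    spec = manifest.get("spec") or {}
    for key in REQUIRED:
        if key not in spec:
            errors.append(f"spec.{key} is required")
    present = [k for k in PROJECT_SOURCES if k in spec]
    if len(present) != 1:
        errors.append(f"exactly one of {PROJECT_SOURCES} must be set, found {present}")
    if "type" in spec and spec["type"] not in TYPES:
        errors.append(f"spec.type {spec['type']!r} not in {TYPES}")
    if "version" in spec and not VERSION_PATTERN.match(str(spec["version"])):
        errors.append(f"spec.version {spec['version']!r} does not match the CRD pattern")
    if "logLevel" in spec and spec["logLevel"] not in LOG_LEVELS:
        errors.append(f"spec.logLevel {spec['logLevel']!r} not in {LOG_LEVELS}")
    for key in SHARDED_COUNTS:
        if key in spec and (not isinstance(spec[key], int) or spec[key] < 1):
            errors.append(f"spec.{key} must be an integer >= 1")
    security = spec.get("security") or {}
    auth = security.get("authentication") or {}
    for mode in auth.get("modes") or []:
        if mode not in AUTH_MODES:
            errors.append(f"authentication mode {mode!r} not in {AUTH_MODES}")
    if "agents" in auth and "mode" not in auth["agents"]:
        errors.append("security.authentication.agents.mode is required when agents is set")
    ldap = security.get("ldap") or auth.get("ldap") or {}
    if "transportSecurity" in ldap and ldap["transportSecurity"] not in ("none", "tls"):
        errors.append("ldap.transportSecurity must be 'none' or 'tls'")
    return errors


def posture_warnings(manifest: Dict[str, Any]) -> List[str]:
    """Settings the schema accepts but a hardening review flags. These are not CRD
    rules; they are the checks a reviewer applies to the same fields."""
    warnings: List[str] = []
    spec = manifest.get("spec") or {}
    security = spec.get("security") or {}
    auth = security.get("authentication") or {}
    if not (security.get("tls") or {}).get("enabled"):
        warnings.append("security.tls.enabled is not true: client traffic is unencrypted")
    if not auth.get("enabled"):
        warnings.append("security.authentication.enabled is not true: clients are not authenticated")
    ldap = security.get("ldap") or auth.get("ldap") or {}
    if "LDAP" in (auth.get("modes") or []) and ldap.get("transportSecurity", "none") == "none":
        warnings.append("LDAP mode with transportSecurity 'none': bind credentials cross the network in clear")
    if "project" in spec:
        warnings.append("spec.project is DEPRECATED: reference the ConfigMap via opsManager or cloudManager")
    return warnings


# Constructed sample manifests for this example (not from the repository).
GOOD: Dict[str, Any] = {
    "apiVersion": "mongodb.com/v1", "kind": "MongoDB",
    "metadata": {"name": "my-replica-set", "namespace": "mongodb"},
    "spec": {
        "type": "ReplicaSet", "version": "4.4.1", "credentials": "my-credentials",
        "opsManager": {"configMapRef": {"name": "my-project"}},
        "security": {"tls": {"enabled": True, "ca": "my-ca"},
                     "authentication": {"enabled": True, "modes": ["SCRAM"]}},
    },
}
BAD: Dict[str, Any] = {
    "apiVersion": "mongodb.com/v1", "kind": "MongoDB",
    "metadata": {"name": "bad", "namespace": "mongodb"},
    "spec": {
        "type": "Replicaset",      # wrong case: not in the enum
        "version": "4.4",          # two components: fails the pattern
        "project": "my-project",   # deprecated, and with opsManager below violates oneOf
        "opsManager": {"configMapRef": {"name": "my-project"}},
        # credentials missing
        "security": {
            "authentication": {"enabled": True, "modes": ["LDAP"],
                               "agents": {"automationUsername": "mms-automation"}},  # agents.mode missing
            "ldap": {"servers": ["ldap.example.internal:389"], "transportSecurity": "none"},
        },
    },
}

if __name__ == "__main__":
    for name, manifest in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "errors:", schema_errors(manifest), "warnings:", posture_warnings(manifest))
    print("'4x4x1' accepted by the CRD version pattern:", bool(VERSION_PATTERN.match("4x4x1")))
```

Running this against the two samples shows the split that matters operationally: the API server rejects `BAD` for five schema reasons, but it would accept `GOOD` with TLS and authentication switched off just as readily, so the posture checks have to live in review or admission tooling, not in the CRD.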
# OpenShift MongoDB Enterprise Kubernetes Operator
## Operator Service Catalog and Marketplace
This installation document is a guide for deploying the MongoDB Enterprise Kubernetes Operator, Ops Manager and a first MongoDB database using the OpenShift Operator catalog or Marketplace.
## Configuring required components
Step 1: Create a namespace to install MongoDB into
```bash
oc create ns mongodb
```
Step 2: Install the operator in the cluster, in the namespace created above
![Installed Operators](assets/image--000.png)
Step 3: Wait for the Operator to be deployed.
![Operator Installed](assets/image--002.png)
Step 4: Deploy MongoDB Ops Manager.
Ops Manager is the enterprise control plane for all your MongoDB clusters. It is an extensive application and may seem complicated; please visit the [Documentation](https://docs.mongodb.com/kubernetes-operator/stable/om-resources/) to plan and configure production deployments.
*Only a single Ops Manager deployment is required for all MongoDB clusters in your organization. This step can be skipped if Ops Manager is already deployed. Alternatively, [Cloud Manager](https://cloud.mongodb.com), the hosted Ops Manager, can be used instead.*
![Screenshot](assets/image--004.png)
To deploy a very simple Ops Manager configuration, two steps are required.
1. Create the admin credentials Secret
```bash
oc create secret generic ops-manager-admin-secret \
  --from-literal=Username="jane.doe@example.com" \
  --from-literal=Password="Passw0rd." \
  --from-literal=FirstName="Jane" \
  --from-literal=LastName="Doe" -n mongodb
```
2. Deploy an Ops Manager instance with the CRD
![Screenshot](assets/image--008.png)
With the sample YAML CRD definition:
```yaml
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
name: ops-manager
namespace: mongodb
spec:
# the version of Ops Manager to use
version: 4.4.1
# the name of the secret containing admin user credentials.
adminCredentials: ops-manager-admin-secret
externalConnectivity:
type: LoadBalancer
# the Replica Set backing Ops Manager.
# appDB has the SCRAM-SHA authentication mode always enabled
applicationDatabase:
members: 3
```
Change the `adminCredentials` property to the name of the secret created previously. In this example it is `ops-manager-admin-secret`.
Click **Create**.
>For more detailed installation visit our blog post: https://www.mongodb.com/blog/post/running-mongodb-ops-manager-in-kubernetes
Step 7: Verify that MongoDB Ops Manager is successfully deployed. Describe the Ops Manager resource and ensure that the `ops-manager` resource has reached the `Running` state:
`oc describe om ops-manager`
>NOTE: Wait for the secret `ops-manager-admin-key` to be created. It contains the Global Admin Programmatic API Key that will be required in the subsequent steps. We recommend creating a new Programmatic API Key scoped to a single Ops Manager Organization instead: https://docs.opsmanager.mongodb.com/rapid/tutorial/manage-programmatic-api-keys/#mms-prog-api-key
Note the Ops Manager URL exposed by the LoadBalancer before moving to the next section.
## Deploy MongoDB
In order to create a MongoDB cluster, three Kubernetes resources need to be deployed: https://docs.mongodb.com/kubernetes-operator/stable/mdb-resources/
1. A Kubernetes ConfigMap that contains the settings the Operator uses to connect to Ops Manager
```bash
# projectName is optional
oc create configmap <configmap-name> \
  --from-literal="baseUrl=<OpsManagerURL>" \
  --from-literal="projectName=<myOpsManagerProjectName>" \
  --from-literal="orgId=<Ops Manager OrgID>"
```
>OpsManagerURL is the Ops Manager URL, including the port (default 8080), noted in Step 7.
>Documentation: https://docs.mongodb.com/kubernetes-operator/stable/tutorial/create-project-using-configmap/#create-k8s-project
2. A Kubernetes Secret containing the Programmatic API Key the Operator uses to connect to Ops Manager.
> The ops-manager-admin-key secret can be used instead for non-production deployments.
```bash
oc -n <metadata.namespace> \
create secret generic <myCredentials> \
--from-literal="user=<publicKey>" \
--from-literal="publicApiKey=<privateKey>"
```
For instructions on how to create an Ops Manager Organization and Programmatic API Key, please refer to the documentation: https://docs.mongodb.com/kubernetes-operator/stable/tutorial/create-operator-credentials/#create-k8s-credentials
3. Deploy MongoDB
![Deploy MongoDB](assets/image--030.png)
Click on the first tile to create the MongoDB deployment instance.
![Deploy MongoDB](assets/image--032.png)
* Choose a name for the MongoDB cluster in `metadata.name`
* Substitute the value of `spec.opsManager.configMapRef.name` with the name of the config map, `<configmap-name>`
* Substitute the value of `spec.credentials` with the secret name `<myCredentials>`.
Click **Create**.
>For comprehensive Documentation, please visit https://docs.mongodb.com/kubernetes-operator/stable/mdb-resources/
### Verify MongoDB cluster is operational
Verify that the status of the MongoDB resource has reached the `Running` state.
>Optionally, monitor the state of the pods, StatefulSets and Services linked to the MongoDB CRD
![Deploy MongoDB](assets/image--034.png)
>Note: the MongoDB Enterprise Operator logs are the best place to start troubleshooting any issues with deployments
### Connect to MongoDB Cluster
The MongoDB Enterprise Operator creates a Kubernetes Service for each MongoDB deployment, using the default port 27017:
`<mongodb-service-name>.<k8s-namespace>.svc.<cluster-name>`
A MongoDB connection string can be built using the SRV record:
`mongodb+srv://<mongodb-service-name>.<k8s-namespace>.svc.<cluster-name>`
***In order to connect to MongoDB from outside of OpenShift cluster an ingress route needs to be created manually. Operator does not create ingress or external services.***
***MongoDB ReplicaSet External connectivity requires Split Horizon Configuration: [Connect to a MongoDB Database Resource from Outside Kubernetes](https://docs.mongodb.com/kubernetes-operator/stable/tutorial/connect-from-outside-k8s/)***
>EXAMPLE: to connect to a sharded cluster resource named `shardedcluster`, you might use the following connection string:
```bash
mongo --host shardedcluster-mongos-0.shardedcluster-svc.mongodb.svc.cluster.local --port 27017
```
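The three resources in the "Deploy MongoDB" section only work when they agree with each other: the `MongoDB` manifest must point at a ConfigMap carrying `baseUrl` and `orgId` and at a Secret carrying `user` and `publicApiKey`, and the guide allows the Global Admin key (`ops-manager-admin-key`) only for non-production use. The following added example (not code from the Operator repository or the guide) checks that wiring before the manifest is applied and derives the in-cluster SRV connection string from the conventions above. The `name -> data` dicts stand in for what `oc get ... -o json` would return; they, the `-svc` service suffix (inferred from the `shardedcluster-svc` example) and the `cluster.local` default are assumptions of this example.

```python
from typing import Any, Dict, List

# Secret the operator creates with the Global Admin API key; the guide above
# allows it only for non-production deployments.
GLOBAL_ADMIN_KEY_SECRET = "ops-manager-admin-key"
CONFIGMAP_KEYS = ("baseUrl", "orgId")          # projectName is optional
CREDENTIALS_KEYS = ("user", "publicApiKey")


def project_configmap_name(spec: Dict[str, Any]) -> str:
    """Name of the project ConfigMap a MongoDB spec points at, via any of the CRD's three forms."""
    for key in ("opsManager", "cloudManager"):
        ref = ((spec.get(key) or {}).get("configMapRef") or {}).get("name")
        if ref:
            return ref
    return spec.get("project") or ""


def wiring_errors(mongodb: Dict[str, Any], configmaps: Dict[str, Dict[str, str]],
                  secrets: Dict[str, Dict[str, str]]) -> List[str]:
    """Problems that would stop the Operator from reaching Ops Manager for this resource.
    `configmaps` and `secrets` map name -> data for the resource's namespace (assumed)."""
    errors: List[str] = []
    spec = mongodb.get("spec") or {}
    cm_name = project_configmap_name(spec)
    if not cm_name:
        errors.append("no project ConfigMap referenced (opsManager/cloudManager.configMapRef or project)")
    elif cm_name not in configmaps:
        errors.append(f"ConfigMap {cm_name!r} not found")
    else:
        errors += [f"ConfigMap {cm_name!r} lacks {k}" for k in CONFIGMAP_KEYS if not configmaps[cm_name].get(k)]
    secret_name = spec.get("credentials")
    if not secret_name:
        errors.append("spec.credentials is required")
    elif secret_name not in secrets:
        errors.append(f"Secret {secret_name!r} not found")
    else:
        errors += [f"Secret {secret_name!r} lacks {k}" for k in CREDENTIALS_KEYS if not secrets[secret_name].get(k)]
    return errors


def wiring_warnings(mongodb: Dict[str, Any], configmaps: Dict[str, Dict[str, str]]) -> List[str]:
    """Configurations that work but widen the blast radius of a leaked API key."""
    warnings: List[str] = []
    spec = mongodb.get("spec") or {}
    if spec.get("credentials") == GLOBAL_ADMIN_KEY_SECRET:
        warnings.append("spec.credentials is the Global Admin key; use a Programmatic API Key scoped to one Organization")
    base_url = (configmaps.get(project_configmap_name(spec)) or {}).get("baseUrl", "")
    if base_url.startswith("http://"):
        warnings.append("baseUrl is plain http: the API key is sent to Ops Manager unencrypted")
    return warnings


def srv_connection_string(mongodb: Dict[str, Any]) -> str:
    """In-cluster SRV URI. Assumption: the operator's Service is named <name>-svc, as in
    the shardedcluster-svc example above; clusterDomain defaults to cluster.local."""
    meta = mongodb["metadata"]
    domain = (mongodb.get("spec") or {}).get("clusterDomain", "cluster.local")
    return f"mongodb+srv://{meta['name']}-svc.{meta.get('namespace', 'default')}.svc.{domain}"


# Constructed sample objects (not from the repository): the data the three commands
# above would leave behind, keyed by object name. Angle-bracket values are placeholders.
CONFIGMAPS = {"my-project": {"baseUrl": "http://<OpsManagerURL>:8080",
                             "projectName": "my-project", "orgId": "<Ops Manager OrgID>"}}
SECRETS = {"my-credentials": {"user": "<publicKey>", "publicApiKey": "<privateKey>"},
           GLOBAL_ADMIN_KEY_SECRET: {"user": "<publicKey>", "publicApiKey": "<privateKey>"}}
MONGODB = {"apiVersion": "mongodb.com/v1", "kind": "MongoDB",
           "metadata": {"name": "my-replica-set", "namespace": "mongodb"},
           "spec": {"type": "ReplicaSet", "version": "4.4.1", "credentials": "my-credentials",
                    "opsManager": {"configMapRef": {"name": "my-project"}}}}

if __name__ == "__main__":
    print("errors:", wiring_errors(MONGODB, CONFIGMAPS, SECRETS))
    print("warnings:", wiring_warnings(MONGODB, CONFIGMAPS))
    print("connect with:", srv_connection_string(MONGODB))
```

The warning on a plain-http `baseUrl` is deliberate: the default port 8080 in the guide is unencrypted, and the programmatic API key travels with every request the Operator makes to Ops Manager.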
name: mongodb-enterprise-operator
description: MongoDB Kubernetes Enterprise Operator
version: 1.8.0
kubeVersion: '>=1.13-0'
keywords:
- mongodb
- database
- nosql
home: https://github.com/mongodb/mongodb-enterprise-kubernetes
maintainers:
- name: Cloud Team
type: object
logs:
type: object
properties:
storage:
type: string
storageClass:
type: string
labelSelector:
type: object
required:
- members
required:
- version
- applicationDatabase
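Review bot: the `pattern` on `applicationDatabase.version` leaves its dots unescaped, so `.` matches any character and a value like `4x0x1` passes schema validation; the intended regex is `^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$|^$`, and because `\.` is not a legal escape inside a YAML double-quoted scalar it should be written in single quotes: `pattern: '^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$|^$'`. Also, `passwordSecretKeyRef` lists only `name` under `required`; if the controller needs `key` to locate the password inside the Secret, either require it here or make the default key explicit in the description.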
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: mongodb-enterprise-operator-mongodb-webhook
rules:
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- validatingwebhookconfigurations
verbs:
- get
- create
- update
- delete
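Review bot: the `get`, `update` and `delete` verbs on `validatingwebhookconfigurations` are cluster-wide and unrestricted, so the operator's service account can alter or remove any admission webhook in the cluster, not just its own; if the operator registers its webhook under a fixed name, add a `resourceNames:` entry for those three verbs (`create` cannot be name-scoped and has to stay as written).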
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mongodb-enterprise-appdb
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
{{- if .Values.registry.imagePullSecrets}}
imagePullSecrets:
- name: {{ .Values.registry.imagePullSecrets }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mongodb-enterprise-database-pods
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
{{- if .Values.registry.imagePullSecrets}}
imagePullSecrets:
- name: {{ .Values.registry.imagePullSecrets }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mongodb-enterprise-ops-manager
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
{{- if .Values.registry.imagePullSecrets}}
imagePullSecrets:
- name: {{ .Values.registry.imagePullSecrets }}
{{- end }}
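Review bot: the three ServiceAccount documents repeat the same `watchNamespace` selection and `imagePullSecrets` conditional verbatim; move that logic into a named template (for example a `_helpers.tpl` partial, suggested name) and `include` it, so a later change to the namespace handling cannot drift between the three. While there, `{{- if .Values.registry.imagePullSecrets}}` is missing the space before `}}` that the rest of the chart uses, and `imagePullSecrets` accepts a single string here although the field is a list in the API, which should be spelled out in `values.yaml`.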
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: mongodb-enterprise-appdb
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
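Review bot: the `mongodb-enterprise-appdb` Role grants `get` on every Secret in the namespace, which lets a compromised AppDB pod read any other workload's credentials there; the secrets it needs are referenced by name in the CRD (`passwordSecretKeyRef`, `security.tls.secretRef`), so either restrict the rule with `resourceNames:` where the names are fixed or document why an unrestricted `get` is required. Leaving `list` and `watch` out of the verbs is correct and should be preserved, since those would expose every secret name at once.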
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: mongodb-enterprise-appdb
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mongodb-enterprise-appdb
subjects:
- kind: ServiceAccount
name: mongodb-enterprise-appdb
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.operator.name }}
{{- if .Values.namespace }}
namespace: {{ .Values.namespace }}
{{- end }}
{{- if .Values.registry.imagePullSecrets}}
imagePullSecrets:
- name: {{ .Values.registry.imagePullSecrets }}
{{- end }}
---
kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Values.operator.name }}
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- secrets
- services
verbs:
- get
- list
- create
- update
- delete
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- get
- list
- watch
- delete
- update
{{- if eq (.Values.operator.watchNamespace | default "") "*" }}
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- watch
{{- end}}
- apiGroups:
- mongodb.com
resources:
- mongodb
- mongodb/finalizers
- mongodbusers
- opsmanagers
- opsmanagers/finalizers
{{- if .Values.subresourceEnabled }}
- mongodb/status
- mongodbusers/status
- opsmanagers/status
{{- end }}
verbs:
- "*"
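Review bot: `metadata.namespace` is rendered even when the `kind` line resolves to `ClusterRole`, which is cluster-scoped; the field has no effect on cluster-scoped kinds and misleads readers, so emit it only in the branch that produces `Role` (the ClusterRoleBindings further down repeat the same pattern). The `kind` test uses `default ""` while the namespace test uses `default "*"` for the same value; both happen to resolve to a namespaced Role when the value is unset, but pick one default so the two conditions cannot diverge. Finally, the comment describing the webhook ClusterRoleBinding sits above the `---` that closes this document and reads as part of the Role; move it below the separator.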
# This ClusterRoleBinding is necessary in order to use validating
# webhooks—these will prevent you from applying a variety of invalid resource
# definitions. The validating webhooks are optional so this can be removed if
# necessary.
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Values.operator.name }}-{{ .Values.namespace }}-webhook-binding
namespace: {{ .Values.namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: mongodb-enterprise-operator-mongodb-webhook
subjects:
- kind: ServiceAccount
name: {{ .Values.operator.name }}
namespace: {{ .Values.namespace }}
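Review bot: the comment above says this ClusterRoleBinding is optional and can be removed, yet unlike the CA block below nothing in `values.yaml` gates it; wrap the webhook ClusterRole and this binding in a conditional such as `{{- if .Values.webhook.enabled }}` (hypothetical value name) so users who do not want the operator holding cluster-wide webhook permissions can opt out without editing the template. `metadata.namespace` on a ClusterRoleBinding is meaningless and can go; the subject's `namespace` is the one that matters and is set correctly here.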
---
kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Values.operator.name }}
{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
namespace: {{ .Values.operator.watchNamespace }}
{{- else }}
namespace: {{ .Values.namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
name: {{ .Values.operator.name }}
subjects:
- kind: ServiceAccount
name: {{ .Values.operator.name }}
{{- if .Values.namespace }}
namespace: {{ .Values.namespace }}
{{- end }}
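Review bot: the ServiceAccount subject's `namespace` is only rendered when `.Values.namespace` is set, but when `watchNamespace` is `"*"` this document becomes a ClusterRoleBinding, and RBAC validation requires a namespace on ServiceAccount subjects of a ClusterRoleBinding, so a release with `namespace` left empty renders a binding the API server rejects; render `namespace` unconditionally, falling back to `.Release.Namespace`, which is where the Deployment and ServiceAccount above land anyway.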
# This ClusterRole is needed if the user wants to use the Kubernetes CA
# infrastructure to generate certificates.
{{- if .Values.needsCAInfrastructure }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Values.operator.name }}-{{ .Values.namespace }}-certs
rules:
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- create
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Values.operator.name }}-{{ .Values.namespace }}-certs-binding
namespace: {{ .Values.namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Values.operator.name }}-{{ .Values.namespace }}-certs
subjects:
- kind: ServiceAccount
name: {{ .Values.operator.name }}
namespace: {{ .Values.namespace }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.operator.name }}
{{- if .Values.namespace }}
namespace: {{ .Values.namespace }}
{{- end }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: {{ .Values.operator.name }}
app.kubernetes.io/instance: {{ .Values.operator.name }}
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: {{ .Values.operator.name }}
app.kubernetes.io/instance: {{ .Values.operator.name }}
spec:
serviceAccountName: {{ .Values.operator.name }}
{{- if not .Values.managedSecurityContext }}
securityContext:
runAsNonRoot: true
runAsUser: 2000
{{- end }}
{{- if .Values.registry.imagePullSecrets}}
imagePullSecrets:
- name: {{ .Values.registry.imagePullSecrets }}
{{- end }}
containers:
- name: {{ .Values.operator.deployment_name }}
image: {{ .Values.registry.operator }}/{{ .Values.operator.name }}:{{ .Values.operator.version }}
imagePullPolicy: {{ .Values.registry.pullPolicy }}
{{- if .Values.operator.watchedResources }}
args:
{{- range .Values.operator.watchedResources }}
- "-watch-resource={{ . }}"
{{- end }}
command:
- "/usr/local/bin/mongodb-enterprise-operator"
{{- end }}
env:
- name: OPERATOR_ENV
value: {{ .Values.operator.env }}
- name: WATCH_NAMESPACE
{{- if .Values.operator.watchNamespace}}
value: "{{ .Values.operator.watchNamespace }}"
{{- else }}
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- end }}
- name: CURRENT_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if eq .Values.managedSecurityContext true }}
- name: MANAGED_SECURITY_CONTEXT
value: 'true'
{{- end }}
- name: IMAGE_PULL_POLICY
value: {{ .Values.registry.pullPolicy }}
# Database
- name: MONGODB_ENTERPRISE_DATABASE_IMAGE
value: {{ .Values.registry.database }}/{{ .Values.database.name }}
- name: INIT_DATABASE_IMAGE_REPOSITORY
value: {{ .Values.registry.initDatabase }}/{{ .Values.initDatabase.name }}
- name: INIT_DATABASE_VERSION
value: {{ .Values.initDatabase.version }}
- name: DATABASE_VERSION
value: {{ .Values.database.version }}
# Ops Manager
- name: OPS_MANAGER_IMAGE_REPOSITORY
value: {{ .Values.registry.opsManager }}/{{ .Values.opsManager.name }}
- name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
value: {{ .Values.registry.initOpsManager }}/{{ .Values.initOpsManager.name }}
- name: INIT_OPS_MANAGER_VERSION
value: {{ .Values.initOpsManager.version }}
# AppDB
- name: APPDB_IMAGE_REPOSITORY
value: {{ .Values.registry.appDb }}/{{ .Values.appDb.name }}
- name: INIT_APPDB_IMAGE_REPOSITORY
value: {{ .Values.registry.initAppDb }}/{{ .Values.initAppDb.name }}
- name: INIT_APPDB_VERSION
value: {{ .Values.initAppDb.version }}
- name: OPS_MANAGER_IMAGE_PULL_POLICY
value: {{ .Values.registry.pullPolicy }}
{{- if .Values.registry.imagePullSecrets }}
- name: IMAGE_PULL_SECRETS
value: {{ .Values.registry.imagePullSecrets }}
{{- end }}
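Review bot: the pod `securityContext` sets only `runAsNonRoot` and `runAsUser`; add a container-level `securityContext` with `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}`, plus a `resources` block with requests and limits, so that an operator holding `"*"` on the `mongodb.com` group and cluster-wide webhook rights runs with the least privilege the runtime can enforce. Also, `OPERATOR_ENV`, `IMAGE_PULL_POLICY` and the `*_VERSION` entries are rendered unquoted while `WATCH_NAMESPACE` is quoted; quote them all, since `env[].value` must be a string and a numeric-looking version such as `1.0` would otherwise fail the type check.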
{{- if .Values.debug }}
---
apiVersion: v1
kind: Service
metadata:
name: debug-svc
spec:
type: NodePort
ports:
- nodePort: {{ .Values.debugPort }}
port: 40000
protocol: TCP
selector:
app: {{ .Values.operator.name }}
{{- end }}
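Review bot: the debug Service's selector `app: {{ .Values.operator.name }}` matches no label on the operator pods, which carry only `app.kubernetes.io/component`, `app.kubernetes.io/name` and `app.kubernetes.io/instance`, so the NodePort would have no endpoints; reuse the Deployment's `matchLabels` here. Because a NodePort publishes port 40000 of the operator on every node's address, keep this strictly behind `.Values.debug` as it is now, and prefer `type: ClusterIP` reached through `kubectl port-forward` over a NodePort for a debugger endpoint.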